Component/s: Package Manager
I should note that while I do have Xcode 12 betas installed, Xcode on the machine where I've reproduced this is installed from the App Store, and xcode-select is using that version, not Xcode 12.
Sorry if this isn't the correct place to report this, but there's no issue tracker on the SPM repo, and after I wrote a post about this issue someone pointed me to this Jira instance to report it here.
I've found an easy way for anyone to execute arbitrary code via Swift Package Manager in the Package.swift file:
The above code compiles and resolves correctly as a Package.swift file, and if hosted remotely somewhere like GitHub, the doSomething() function will be called as soon as it's resolved. Currently, that means in Xcode 11 it will call doSomething() silently before you've even finished adding the dependency since Xcode clones the repo and resolves the package before adding it to a target.
Example repo: https://github.com/KaneCheshire/maleficent

To reproduce:
I have no idea of the best way to make this safer at an SPM level, but since it provides a way for people to silently execute code at the same privilege level that Xcode has (since it's running inside an Xcode process), I wanted to raise the issue ASAP.